Helping CUs Navigate the Compliance Minefield
By Roy Urrico

Vancouver, British Columbia-based Integrated Financial Technologies (IFT) announced the launch of its Fortitude compliance program, which lets credit union administrators determine whether their internal or outsourced member support teams are maintaining the necessary compliance with all data security and privacy regulations, industry standards, and regulatory mandates.
IFT, a provider of back-office solutions for portfolio management to credit unions, lenders, and businesses across North America, created Fortitude “to help credit unions navigate the compliance minefield,” Tod Chisholm, president at IFT, told Finopotamus. The program uses its AI-driven Ignite platform to conduct real-time quality assurance, agent monitoring and training, and granular performance reporting and metrics.

"Many of the companies we work with are shocked to learn the extent to which their departments are bypassing compliance regulations, whether inadvertently or purposefully. Often employees or external teams simply do not understand the full implications of the mandates, or their systems and processes are not properly aligned," said Chisholm. "Regular assessments are instrumental in maintaining a successful, ongoing compliance program. Not only does it reveal any violations, but it documents that companies have taken a diligent approach and demonstrates ongoing and consistent adherence."
Developing Fortitude
Fortitude creates actionable recommendations to help improve both compliance and member engagement of a financial institution’s contact center solutions, CRM integrations, firewalls, and cybersecurity tools, in addition to any of the accountholder-facing digital channels, according to IFT.
IFT teams rely on the hundreds of compliance-related and operational assessments IFT has done for business organizations over the years as part of their onboarding process. “Our legacy is as a lender for various verticals,” said Chisholm. “We've had a number of customers where we've taken on servicing from other providers for credit unions and others where the incumbent was not doing things in a compliant fashion.” According to IFT discoveries, many companies do not realize they or their contracted teams are in violation of mandates, and in some instances, are ignoring these regulations.
Chisholm recalled organizations wanted IFT to “look and see what our operations are doing when it came to compliance with regulations. We found in most cases there are gaps, in some cases giant leaking holes.” Those findings helped IFT crystallize the need to provide more compliance or governance consulting when it comes to financial institutions’ secure handling and use of personal and financial data.
That led to the development of Fortitude. “Call it a consulting report to identify what (organizations) may or may not be using that meets the regulatory compliance,” explained Chisholm. “It is not a particularly high-cost item. It is really more a limited engagement — a come in and take a look under the hood (program) — to take a look and see what they are doing and how they are doing it, and provide them with any recommendations we have.”
Chisholm noted, “Our gamble is that they may continue on with us to take over some of that servicing or providing more services. If that is the case, we will use the money that they paid for the consulting report as a future credit towards ongoing servicing work.”
Addressing an Increased Need
“The need (to have a compliance review) seems to have amplified a lot, particularly in the credit union space because big banks have a lot of money to spend on things like this,” said Chisholm. “If they reach out to us (or we reach out to them) and offer those services, the first thing we do is define scope,” said Chisholm. He noted the Fortitude process is not dissimilar to the way IFT would onboard a new client for one of its back-office solutions. “It is like a scope meeting that entails many of these same details. So, we kind of have the skillset already built in.”
Chisholm further explained, “We would recommend that you take a look at typical hot points, both regulatory and operationally. Then there is usually a refinement. Or they may actually come to the table with a problem with ‘X, Y, Z provider,’ or ‘we have an issue in our call center,’ or ‘we know we have an issue because we had a regulatory finding in our last review.’”
He described the Fortitude process as “probably a four-week engagement, maybe as much as eight weeks, to meet with the individual departments, meet with the managers, review whatever results and reporting they have had in the past. Then for us to prepare an outcome, ‘here's all the things that we found, here's best practices and here's some of the gaps.’”
From there, the IFT team discusses the next steps. “There is no commitment. You can take that document and you can try and do it all yourself if you want. But obviously we are prepared to continue on the engagement and help them through that process.”
Chisholm insisted, “What we do is not really a secret sauce. We go through and we just document what they do now and the providers they are using both internal and external in the systems and technologies.” Then IFT benchmarks those from a regulatory and operational effectiveness standpoint against what makes sense in their industry. “So, if they're an auto finance company or if they're a credit union doing auto finance, then we compare it to what we would consider regulatory compliant and operationally effective.”
Dealing with Urgency
One of the bigger factors is the sense of urgency when it comes to compliance and regulations, noted Chisholm. Because credit unions, like other financial institutions, can deal with both internal and external agents, some working remotely, he said they must consider risk vectors such as those centering around AI-generated cyberthreats and the handling of personal and financial data.
IFT helps financial institutions in the U.S. and Canada. “So, IFT knows the landscape in both the U.S. and Canada, and there are some differences, but each have their own stringent regulations. If you are a credit union that is out of compliance, the risk can be substantial in terms of penalties and things like that.”
In the U.S. banking sector, SOX usually refers to compliance with the Sarbanes-Oxley Act of 2002, which mandates strict internal controls over financial reporting to prevent fraud. It is a legally binding requirement for all publicly traded financial institutions and their subsidiaries. The Canadian equivalent to Sarbanes-Oxley compliance is C-SOX (Canadian Securities Administrators' National Instrument 52-109), which mandates that public companies establish internal controls for financial reporting and certify their accuracy.
“It all starts with data security first of all. The acronyms are different in Canada and the U.S. but we have done enough of this to know that it really is primarily just the acronyms that are different,” said Chisholm. He continued, “The actual underlying regs are fairly similar in most respects.”
“It's always either state or provincial, usually for credit unions, unless they are federally regulated,” said Chisholm. He pointed out, “You've got a virtual call center, you've got an agent in the call center, how do you control that they're not screen capturing private customer data and sending it to somebody, or if you're using an external vendor, how are you ensuring that they have the controls in place to do that from that standpoint.”
Not a Cure-All
Chisholm described two portfolios IFT onboarded in the last year. “In both cases, the servicer that they had contracted to do (the compliance overview) actually did not know how to do the work.” Yet the organizations, he added, were still paying for the compliance service. Not only were the organizations faking work, the operations were not compliant. “They could not produce any of the records, it caused a great deal of difficulties and then (came) an urgent need to transition to our business to be able to service it for them. And that is not atypical right now. The typical credit union does not have 50 people working in a compliance department.”
The more innovation and technology that enter member service through call centers, the greater the risk of threats. “This is something that government and industry regulators are paying strict attention to,” suggested Chisholm.
“(IFT Fortitude) is not a panacea, but I can tell you it makes the regulators feel a lot better when you say, ‘I've had this evaluated by an external third party,’” said Chisholm. “That goes a long way particularly with the regulators who tend to trail the technologies and the things that are available now. They are usually a couple years behind what is actually happening.”



